After 7 years as a U.S. Marine, I went to school at a local community college.
I graduated from the Cisco Networking Academy in '06 and started my first job as a Network Consultant for SMBs. I now work as a Network Administrator for a food manufacturing company.
I am always interested in learning new things. I am a CCNA and MCP, and will soon be a VCP.

Thank you so much. Do you know what the rollback timer is? It seems to be some kind of mechanism for automatically going back to a safe configuration.
I really don't have any need to use this feature. But I need to figure out if there is something else I need to do to ensure that it doesn't just roll back after I upgrade.
Does the reload clear the rollback? I.e., once the reload is complete, it doesn't roll back?

Hello,
I have a WS-C3650-24PD that I need to upgrade from 03.03.04SE to a newer version. Not counting the time to transfer from the TFTP server, how long should that take?
I am planning to use the software install file command listed here:
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3650/software/release/3se/system_management/configuration_guide/b_sm_3se_3650_cg/b_sm_3se_3650_cg_chapter_010101.html
I'm just trying to figure out how long a window I should plan for. I'm thinking 30 minutes would be fine, but I wasn't sure.
Thanks, Ben

Hello,
We have an issue that we could use some help with.
We have 5 workstations in a production environment. Because the workstations consist of several network-connected devices, we deploy access points as workgroup bridges. So the wireless client is an AIR-CAP702W-A-K9 in autonomous mode as a workgroup bridge. The workstations move around the production floor, so they need to be able to connect to any of the APs.
In the ceiling we have 3 AIR-CAP2702E-A-K9 in lightweight mode. They are managed by an AIR-CT5508-K9 WLC.
The weird thing is that we have a tough time making sure that the 702s consistently connect to their nearest AP. We will go into the WLC and see that a 702 is associated to an AP on the other side of the room. Or we'll find that all 5 702s are associated to the same AP, even though it isn't the nearest one. This creates some intermittent performance issues.
My question is: are there any Cisco features available that will help them make smarter decisions about which AP they associate with?
Thanks

Hello,
I am running an MPLS network and need to implement QoS services across it. The provider has given me their QoS documentation. I've read it, and the QoS is based on IP Precedence bits. I can designate up to four queues and choose from a variety of options to make it behave in a certain way. I have selected a queuing option and template.
So now I am seeking guidance on how best to configure my network. On one end I have a 3650 switch with IP Base; on the other end I have a 2811 router with IP Voice.
I have my different classes of applications in different subnets, which should give me the ability to use ACLs to identify traffic and then set the IPP bits.
My question is: where is a good document that can help with this configuration? I am pretty comfortable with the ACLs, but not so much with the IPP portion. I have some tolerance for time, so I am trying to do the research, work the process, and do it myself. I'm hoping for whitepapers, KB articles, or maybe even a book to buy.
Thanks

Hello Everyone,
I am looking at modifying my VPN configuration and would like a little feedback.
Above is a diagram of my network. I have an ASA5505 on the left and an ASA5510 on the right. The site-to-site VPN between the green networks is up and running well. I have a server in the DMZ that remote clients access.
I have developed a need to connect the 10.44.0.0/16 network to the 192.168.23.10 address.
Of course, I know that I will have to add that to the VPN configurations and build NAT exception rules. I'll have to do it in a way that doesn't keep the remote clients from connecting, but if I am specific with the NAT exception, that shouldn't be an issue.
Are there any other issues that I am missing? Are there any caveats that would require the VPN to have all local subnets on the same interface?
Thanks,

Hello everyone, I have a question about the limitations of an ASA5505. I am starting a new network and happened to have a 5505 on the shelf, so I figured I would get started with it. The ASA that I am currently planning to bring is an ASA5505-BUN-K9. This is the 10-user bundle. I thought that this would cover my immediate needs; however, some other things have cropped up that are making me think it may not. I'd break it out and just try these things myself, but it is on a truck, and the next time I have it in my hands will be while I am trying to make it work. So, I have the following questions:
Should this support a DMZ? I know it has 8 ports, so I could make one for the outside, one for the DMZ, and the other 6 for the inside. Should the 10-user license support that, or do I need to go to Security Plus?
I believe there is a 10-user limit on this. How is this enforced? Does this mean that it will only route traffic for 10 hosts? I don't believe that I will have 10 users actually accessing the internet, but I may have more than 10 devices. Some of those devices would have traffic going through a site-to-site VPN. Perhaps it controls it through NAT, in which case those devices (since they would be NAT exempt) would not count?
Thanks, Ben

Hi, I ran into a small problem the other day that I'd like to get some feedback on. I was connecting a Catalyst 3560 switch and an Allen-Bradley Stratix switch via fiber with LC connectors. I couldn't get the ports to light up and kept getting "High Power" errors on the Stratix end. (I didn't pull the exact logs.) On the Catalyst end, I was using a Cisco-branded GBIC. On the Stratix end, I was using an Allen-Bradley-branded GBIC. I wound up putting a Cisco GBIC into the Stratix switch, and after that everything lit up all right. Is there a stated requirement to have the same GBIC on both ends? Is there a best-practice configuration that I should review to compare to my own? This is our first time connecting the Stratix and the Catalyst via fiber, so I am just trying to do it right. ;-)

Hello, can anyone recommend any resources (white papers, books, etc.) that can help me understand the ASA's IPS SSM? I activated one once before, but that was a while ago. It seems like there was a lab somewhere that took it step by step, but I can't seem to find it. Thanks, Ben

Hello, I have about 20 switches in my environment. For some reason, I can't get interface utilization in Cisco netManager. At one time I had this running, but somehow it doesn't seem to be anymore. Maybe there is something wrong with my config. So I will use the most important switch, a 3750, as the example. This is running IOS version 12.2(55)SE4. This is a common configuration for a switchport:

    interface GigabitEthernet1/0/6
     description UPLINK PORT
     switchport trunk encapsulation dot1q
     switchport mode trunk
     priority-queue out
     mls qos trust dscp

This is the SNMP portion of the config:

    snmp-server community bpsnmp RO
    snmp-server location springfeild MDF 3750
    snmp-server host 192.168.110.34 bpsnmp

This SNMP server is Cisco netManager. I have it configured with the right credentials, and it's showing that the device is up via SNMP and ICMP. But for some reason it doesn't want to collect or maintain any interface utilization information. For that matter, netManager isn't really retaining any data. So maybe the problem is more on the netManager end. But I wanted to verify that there isn't anything in particular that I should be putting on the switch. Thanks, Ben

Hello Everyone, some time ago we purchased a couple of ASA5510s with the IPS AIP-SSM modules in them. I got them installed and got the VPNs running, but never activated the IPS module on them. I am getting ready to get the IPS modules going. But don't I need some type of subscription so that the IPS module can download signature updates? Does anyone know what the part number for that subscription is? I am seeing listings for "Content Security Plus" licenses, but I think that is something different. I am also seeing licenses for the Botnet Traffic Filter. But, again, I am not sure if that's the right one. Thanks, Ben

Hello Everyone, we are considering ordering the AP541N for our network. A few questions...
1). Are there multiple models of the AP541N, or just one Cisco part number?
2). I am assuming the basic antenna comes with it. Please advise if this is something that I need to buy separately.
3). Are there part numbers for the PoE injector? Can anyone help me with the part numbers on the AP541N and the PoE injectors?
4). We would buy a couple of these and run them in cluster mode. My understanding is that I won't need a controller. Do I need to buy a certain model to use the clustering, or is that available on all the AP541Ns?
5). Can I have this talk to Active Directory to authenticate users? Is that tough to do? Do I need to install some kind of agent on a domain controller? I have configured the ASA to use Active Directory for authentication. Should it be any more difficult than that?
I have set up a few other Cisco APs before and am generally familiar with wireless. But I am not a "wireless expert" and don't have any experience with this particular product. Thanks, Ben

Hello Everyone, I am working on a solution that I would like to get some feedback on. A few months ago we deployed iPhones to some of our employees. As part of this, we used the Cisco AnyConnect client on the iPhone. We have a Cisco ASA 5510 on our network and configured it as a certificate authority. So I download the certificate with Internet Explorer and transfer it to the iPhone via the iPhone Configuration Utility. I then download the AnyConnect app from the App Store and configure it to connect to our ASA and use the certificate to authenticate. We also use the "connect on demand" feature, but some users (who don't mind the manual connect) don't use it. Overall, it seems to work okay. Usually it connects within a few seconds; sometimes it takes 30-45 seconds. However, they report that they sometimes lose the ability to connect to the VPN. The AnyConnect client tries to connect, but it just spins and spins. I checked the logs on the ASA and there is no indication that it's trying to connect. The fix is to delete the AnyConnect app and re-download/install it from the App Store. We typically have to do this every couple of weeks. It seems to be worse when the person flies to another state. All of our iPhone users have experienced this from time to time. All of our iPhone users are on Verizon. Has anyone else had any troubles like this? Any suggestions or comments? Thanks, Ben

Hello, I have an ASA5510 that I am working with. I have it configured for remote access VPN with both the IPsec client and the AnyConnect client. I need to put a VPN client on a computer running Windows Vista Home Premium 64-bit. What is the recommended client? Should I go with the IPsec client or the AnyConnect client? Are there separate executables for 64-bit and 32-bit? I just want it to work very reliably. I have had a lot of problems with the IPsec client on Vista 64-bit, but that was with older versions. I wasn't sure which would be the path of least resistance here. Thanks, Ben

Hello Everyone. I appreciate that this is an unusual topic for this forum, but I hope you will bear with me. I am a network admin at a mid-size organization. I am looking to further my career and possibly specialize in security. I am seeking recommendations on industry-recognized accredited schools that offer online Bachelor's degrees in IT, Networking, Network Security, etc. Thanks, Ben

Hi Guys, I am in the process of setting up our first iPhone with access to our corporate network via the AnyConnect client and our ASA. It's going pretty well; I just have a "best practice" question about split tunneling. This is my understanding of split tunneling...
By default, split tunneling is disabled. This forces the VPN client to route all network/internet traffic through the VPN. However, we have the option of enabling split tunneling and allowing the client to route some traffic through the VPN and some directly, unencrypted, through the local network. My understanding is that this is basically a trade-off between performance and security. The more secure method routes everything through the VPN. Given that the corporate network is going to have a stronger firewall than the endpoint, this is going to eliminate the chance of opening up a "backdoor" to the network through the endpoint. On the other hand, all internet traffic (including that which is not intended for the corporate network) now has to go through the corporate network first, creating delay. So this creates a performance degradation. This is basically my understanding of the split tunnel question: that it's basically a performance vs. security question to determine if it should be allowed. At any rate, these are my questions....
1). Is there something that I am missing here? Is there also a feasibility question? I usually disable split tunneling, so I am wondering if there might be some things that don't work if I enabled it.
2). Is there anything about the AnyConnect client and/or iOS that makes it more secure and would therefore make it safer to allow split tunneling?
3). With split tunneling disabled, the routing is fairly straightforward. However, it seems like, once split tunneling is enabled, the routing on the AnyConnect client becomes much more complicated. Does the ASA provide its whole routing table to the client, or just directly connected networks?
Any ideas or suggestions would be great. Thanks, Ben